When you use the fetch() API in the browser, you only get a subset of the response headers because of browser security restrictions known as CORS-safelisted response headers.

By default, only a small set of headers (like Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma) are accessible via response.headers.

It would be good to add the names of additional headers to the Access-Control-Expose-Headers header of the preflight request in order for the JavaScript code to access those.

For example the ff:

Retry-After
X-Ratelimit-Limit
X-Ratelimit-Remaining
X-Ratelimit-Reset